You can scan container images for known vulnerabilities and view the results of a cluster scan or a manual scan in the Carbon Black Cloud console.
Note:
- Image scanning is only applicable for images that are based on Linux operating system packages.
- Image scanning requires the CLI Client. See Setting up CLI Client for Image Scanning.
Container images are scanned under the following circumstances:
- A scan is triggered by the Continuous Integration / Continuous Deployment (CI/CD) pipeline, or a scan is started manually. See Manually Rescan a Container Image.
- The Kubernetes sensor is upgraded or downgraded. See Upgrading or Downgrading the Kubernetes Sensor.
- The initial cluster scan of container images runs when a cluster is set up. See Adding Clusters and Installing Kubernetes Sensors.
- New vulnerabilities are added to the Carbon Black Cloud vulnerabilities database.
- File reputation data is updated.
Cluster image scanning provides the following benefits:
- Visibility into the container images in your environment.
- Information about the vulnerabilities found and the fixes available for them.
- The ability to create image-level exceptions from inside the image scan report.
- Kubernetes policies that prevent container images with substantial vulnerabilities from progressing through the CI/CD pipeline. See Kubernetes Policies.
- File reputation scanning of all deployed images, with malware detection. See Detect Malware in a Container Image.
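The benefits listed above are the inputs a pipeline gate has to combine: the findings for an image, whether a fix is available for each one, and any image-level exceptions that were accepted. The following is an added Python example and not Carbon Black Cloud code; it does not reproduce the product's report format or policy syntax. The Finding and ScanReport structures, the severity scale, the evaluate function, the exception mapping and the placeholder vulnerability identifiers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Severity order used for the threshold comparison (assumed scale).
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Finding:
    vuln_id: str                        # placeholder ids below, not real advisories
    severity: str
    package: str
    fixed_version: Optional[str] = None  # None: no fixed package version yet


@dataclass
class ScanReport:
    image: str
    findings: list = field(default_factory=list)


def evaluate(report, max_severity, exceptions):
    """Decide whether an image may proceed through the pipeline.

    exceptions maps an image reference to the set of vulnerability ids that
    were accepted for that image (an image-level exception).  Returns
    (allowed, reasons): reasons lists every blocking finding together with
    the fix that would clear it, or notes that no fix is available.
    """
    threshold = SEVERITY_RANK[max_severity]
    accepted = exceptions.get(report.image, set())
    reasons = []
    for f in report.findings:
        if f.vuln_id in accepted:
            continue  # accepted at image level: reported elsewhere, does not block
        if SEVERITY_RANK.get(f.severity, 0) < threshold:
            continue  # below the policy threshold
        fix = (f"upgrade {f.package} to {f.fixed_version}"
               if f.fixed_version else "no fix available")
        reasons.append(f"{f.vuln_id} ({f.severity}) in {f.package}: {fix}")
    return (not reasons, reasons)


def sample_report():
    """Constructed scan result for a fictional image; not real data."""
    return ScanReport(
        image="registry.example.invalid/app:1.0",
        findings=[
            Finding("CVE-PLACEHOLDER-1", "critical", "libexample", "1.2.4"),
            Finding("CVE-PLACEHOLDER-2", "medium", "samplelib", None),
            Finding("CVE-PLACEHOLDER-3", "high", "othersample", None),
        ],
    )


if __name__ == "__main__":
    report = sample_report()
    allowed, reasons = evaluate(report, "high", {})
    print("allowed:", allowed)
    for r in reasons:
        print("  blocked by", r)
    # After an image-level exception for the high finding that has no fix,
    # only the critical finding with an available upgrade still blocks.
    allowed, reasons = evaluate(report, "high",
                                {report.image: {"CVE-PLACEHOLDER-3"}})
    print("allowed after exception:", allowed, reasons)
```

The gate deliberately keeps exceptions keyed by image reference rather than applying them globally, which mirrors the image-level scope described in the report, and it never hides a finding that has a fix: such findings still block until the package is upgraded or an exception is recorded for that image.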
To have the latest file reputation information, you must refresh the file reputation data that comes in from third-party feed providers, and you must regularly rescan your clusters for newly deployed images.